Linode Forum
Linode Community Forums
Posted: Tue Sep 25, 2007 9:14 am
Senior Member
Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
I wrote a script a while back to check several of my IPs against many of the most widely used RBL blacklists each day, and it came up with a hit on uceprotect.net these last few days with my linode's IP. I don't know how widely used this blacklist is, though.

So I went to their website, and put my IP in to see why. It's not blacklisted because of my IP, or even the entire subnet(s) that it belongs to. So it's not because of any Linode spammers.

They're listing our subnets because we're under "GNAXNET-AS - Global Net Access, LLC", who has had over 300 spammers in the last week out of over 92,000 IPs. 0.3% spamming?

I work at an ISP. I know it's impossible to catch them all. Particularly with today's trojans, worms, viruses, and not to mention a recent one we've been fighting-- hijacked webmail logins for squirrelmail and so forth.

uceprotect claims that we (customers with IPs in these networks) are part of the problem by supporting a carrier that doesn't stop spammers. Bull****. Blacklists that list thousands of innocent mail servers are evil, and the ISP's first priority is to make sure the traffic goes through for their paying subscribers.

If any of you guys are using uceprotect to block spam, I'd recommend against using them. You'll be blocking linode customers.

</rant> :)

_________________
----
Ed/Bones.
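
Added example, not part of the original post or thread: a minimal version of the kind of daily RBL check described above, which also guards against reading a broken zone or a DNS failure as a result. The zone names, `fake_resolver` data and 192.0.2.x addresses are constructed placeholders; the 127.0.0.2 / 127.0.0.1 test points follow RFC 5782.

```python
import ipaddress
import socket

# Hypothetical zone names for illustration; replace with the lists you monitor.
ZONES = ["dnsbl.example.net", "bl.example.org"]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """Query name = reversed IPv4 octets (or IPv6 nibbles) prepended to the zone."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # 10.2.0.192.in-addr.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone

def system_resolver(name):
    """A records for name; [] on NXDOMAIN; other DNS failures propagate."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise

def classify(answers):
    """Map a DNSBL answer set to (status, detail)."""
    if not answers:
        return ("clean", [])
    codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    if len(codes) == len(answers):
        return ("listed", codes)
    # An answer outside 127.0.0.0/8 is not a listing: wildcarded or parked
    # zone, or a resolver rewriting NXDOMAIN. Do not count it as a hit.
    return ("invalid", answers)

def zone_is_sane(zone, resolve=system_resolver):
    """RFC 5782 test points: 127.0.0.2 must be listed, 127.0.0.1 must not."""
    try:
        return (classify(resolve(dnsbl_name("127.0.0.2", zone)))[0] == "listed"
                and classify(resolve(dnsbl_name("127.0.0.1", zone)))[0] == "clean")
    except OSError:
        return False

def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: (status, detail)} for one address across all zones."""
    results = {}
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            results[zone] = ("zone-unusable", [])
            continue
        try:
            results[zone] = classify(resolve(dnsbl_name(ip, zone)))
        except OSError as exc:
            # A timeout is not a clean result; report it separately.
            results[zone] = ("error", [str(exc)])
    return results

# Constructed resolver data so the example runs offline. bl.example.org
# answers every name with a parking address, i.e. it is wildcarded.
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.net": ["127.0.0.2"],
    "10.2.0.192.dnsbl.example.net": ["127.0.0.2"],
    "2.0.0.127.bl.example.org": ["203.0.113.7"],
    "10.2.0.192.bl.example.org": ["203.0.113.7"],
}

def fake_resolver(name):
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(ip, check_ip(ip, resolve=fake_resolver))
```

To run it against live DNS, drop the `resolve=fake_resolver` argument and put the zones you actually monitor in `ZONES`.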


Posted: Wed Sep 26, 2007 2:32 pm
Senior Member
Joined: Sat Jul 01, 2006 7:36 am
Posts: 50
Location: Ghent, Belgium
Thanks for sharing. Can we do something against it?
Quote:
If any of you guys are using uceprotect to block spam, I'd recommend against using them. You'll be blocking linode customers.
Good up to date alternative blacklists are welcome :wink:


Posted: Fri Sep 28, 2007 3:00 am
Newbie
Joined: Tue Jul 12, 2005 3:59 pm
Posts: 3
Website: http://www.nogbors-store.co.uk
WLM: nogbor@msn.com
Location: UK
Hi,

I don't think this is a blanket wide ban on Linode IPs.

I run two mail servers on different Linodes and neither of the IPs appear to be blocked by uceprotect.

The site I use to check my IPs is:

http://www.robtex.com/rbl.html

Cheers


Posted: Tue Oct 02, 2007 9:49 pm
Senior Member
Joined: Fri Sep 21, 2007 4:12 pm
Posts: 78
I'm listed..

http://www.uceprotect.net/en/rblcheck.p ... .22.124.36

Their webpage is almost comical on the matter. To quote:

Quote:
What means listed at UCEPROTECT-Level 3?
GAME OVER. We and our users have seen enough spam and heared all possible excusions why some lazy providers think to be not responsible for what their customers are doing.

We are not just another blacklist. We really know better. Spam is always a problem tolerated by the provider.

We have very bad news for you: It seems you have chosen the wrong provider.
Your IP 64.22.124.36 was NOT part of a spamrun, but your provider seems to believe that spam is what the internet was made for.
By tolerating your provider doesn't care about spammers you are also supporting the global spam.
If all people would boycott spammerhaevens, spam-friendly providers wouldn't even exist.


I find it funny that they have two massive buttons, PAYPAL and MONEYBROKERS next to the level-3 listing, to allow express removal of it.

It seems that they've blacklisted the entire AS3595, or in sum, 92,160 IPs because they have complaints about 316 of them.

Any RBL with an "accuracy" rate of 0.00343% isn't one that should be used in my book.

The entire RBL seems like a scam to me...


Posted: Wed Oct 03, 2007 7:14 pm
Senior Member
Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
kbrantley wrote:
Any RBL with an "accuracy" rate of 0.00343% isn't one that should be used in my book.


Any RBL that expands its range to punish innocent people ("don't support people who support spammers") is worthless. Sounds like this list is just the latest pathetic version.

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)


Posted: Thu Oct 04, 2007 11:57 am
Senior Member
Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
This is an extortion racket along the lines of sorbs.net. This 'anti-spam' service may well be run by spammers - with their strange understanding of legal matters, poor grammar, and payment by PayPal - they sure act like spammers.

_________________
/ Peter


Posted: Sat Oct 06, 2007 7:12 pm
Senior Newbie
Joined: Sat Oct 06, 2007 5:40 pm
Posts: 8
NecroBones wrote:

So I went to their website, and put my IP in to see why. It's not blacklisted because of my IP, or even the entire subnet(s) that it belongs to. So it's not because of any Linode spammers.


So the question should be: If Linode's ranges within GNAX are clean, why does Linode accept GNAX having so many spammers?
They could also use cleaner datacenters.

NecroBones wrote:
They're listing our subnets because we're under "GNAXNET-AS - Global Net Access, LLC", who has had over 300 spammers in the last week out of over 92,000 IPs. 0.3% spamming?



That is 0.1% more than accepted by our standards.
So they perfectly match Level 3 listing criteria.

NecroBones wrote:

I work at an ISP. I know it's impossible to catch them all. Particularly with today's trojans, worms, viruses, and not to mention a recent one we've been fighting-- hijacked webmail logins for squirrelmail and so forth.



I even worked in a provider's abuse department in Switzerland before I was employed by Admins WebSecurity.

I have knowledge of what is possible and what is not for providers.

A provider can clean up their act; most providers have 0.05 to 0.1% abusers per 7 days compared to their total IP space.

Having 0.3% as GNAX does is really bad; even a sewer such as VERIZON has 0.27%, which means they are cleaner than GNAX compared to their size.

Also very interesting to see 105500 providers are not able to get listed at Level 3 because they stay extremely below 0.2% abusers per 7 days.

It is possible that a provider can have *VERY* clean ranges if he really wants!

NecroBones wrote:
uceprotect claims that we (customers with IPs in these networks) are part of the problem by supporting a carrier that doesn't stop spammers. Bull****. Blacklists that list thousands of innocent mail servers are evil, and the ISP's first priority is to make sure the traffic goes through for their paying subscribers.


No one paying a sewer is innocent.
Evil are providers not having preventive measures.
A provider hosting webservers should at least have MODSECURITY on all servers.
Doing so makes it almost impossible to abuse weak scripts / unpatched cms / blogs / other crap dumb users might install.
A datacenter not using MODSECURITY is nothing but unprofessional.

You are part of the problem because you have accepted they ignore the problem and even think you must defend them.

NecroBones wrote:

If any of you guys are using uceprotect to block spam, I'd recommend against using them. You'll be blocking linode customers.

</rant> :)


You are ranting at the wrong place. You should have done so at GNAX.

Furthermore you can assume people using Level 3 for blocking know exactly what they are doing. We have at this time listed providers such as VERIZON at Level 3, so I really doubt Level 3 users will care that some webservers hosted at GNAX are also listed.

Level 3 is declared as a draconic list and used by BOFHs and other HARDLINERS out there.

Interesting to see that meanwhile also some providers are blocking at Level 3 and it does not make me wonder.

Why should a super clean provider having installed our 4 steps to prevent mail abuse allow lazy others to waste his resources and flood his users?

Many people harass us, because we are running a very hard and unforgiving course at UCEPROTECT-Network.

They are thinking we could be assholes which want to extort their money.

That is not true.

EXPRESSDELISTING IS AN OPTION ONLY, NOT A MUST.

I want to explain how we came to this option called "Expressdelisting".

In UCEPROTECT's early days (August 2001) the blocklists had public "removeme" buttons, where listees could remove themselves.

As spammers were beginning to abuse that with automated scripts we did secure it with a captcha. Then Spammers did hire persons in India and China to remove their listings manually.

That was the point where my predecessor got rid of "selfremovals" and then everyone was required to contact us to get removed before expiration.

If you ever run a public blocklist, you have a clue what this means:
You have to read some thousand removal requests per day, and all these guys are claiming to be completely innocent, and they all have fixed their problems.
Not necessary to say that 90% of them did find their way back into the list within minutes, because they had indeed NOT fixed their problems.

Somewhere in 2003 my predecessor has chosen that the only way to get out would be automatic expiration. You know what happened next, do you?

Some listees claimed that it would cost them thousands of dollars to be listed for a week, but
they would have fixed their problem and they are so sure that their problem is now fixed that THEY WOULD EVEN PAY FOR IT TO GET OUT IMMEDIATELY.

Logic says: One would not waste money if he wouldn't have fixed the problems.
You now know why there is an OPTIONAL Expressdelisting at UCEPROTECT.

We also think we have found a good balance between what is acceptable for someone who has really fixed his problems and needs his email and also expensive enough that spammers would not pay for.
Fees are 50 Euro for a single IP (Level 1), 150 for an allocation (Level 2), and 250 for complete ASN's (Level 3).
You have probably seen that this is a large discount we give on Levels 2 and 3 compared with Level 1, so one cannot compare us to BLARS.
And in fact: Most of those who paid have really fixed their problems and learned an unforgettable lesson: NEVER GO ONLINE AGAIN WITH AN INSECURE SYSTEM.

OK, let's come to our reasoning why we run UCEPROTECT-Network.
You know there are many public blocklists available, but they all do it wrong:

Their logic is to just stop infected machines from delivering spam to their users today.

That tactic really sucks because it can very easily be gamed by spam-friendly providers.
It is nothing new that there are providers which are moving their spammers around in their address-space. They have no interest to block spam, because they want the spammers money as they want the money of regular users too.

Our mission is different. We want to stop all spam on this planet. Finally.

We meanwhile got so popular that getting listed on Level 3 becomes a serious issue for providers.

I can tell you about 5 providers (within the last month) now blocking port 25 on all their dialups after they did end up in Level 3 and they have seen that we are the wrong persons to play games with.

There are 105898 AS-Numbers known at this time, but only between 250 - 300, or in other words less than 0.3%, are listed in UCEPROTECT-Level 3.

I guess that should tell you enough about them and their way to work.

Most people hate spam, but have no clue who is responsible for that.
Our lookup tool is opening their eyes showing them how deep their own provider is involved in the spam problem or if he is one of the clean ones.

Assuming number of our users is growing the way it did in the last 4 years, then every provider ending up in Level 3 can enjoy his very own intranet latest by 2011/2012.

If that happens, it will be the ultimate end of spam.

This is what we and people using all our Levels for blocking want to happen.

It does not matter to us:
- If the complete anti-spam industry goes bankrupt after spam will be history.
- If spam-friendly providers will lose all their customers.
- If former spammers will have to search for real jobs.
- If no one can buy faked viagra or rolexes on the net.
- If UCEPROTECT is no longer needed in some years.

We had good lives before spam came, and we will have good lives after spam will be gone.

So now let's come to the point of how I could be helpful for Linode to get off Level 3:
I think you got the hint within this discussion.

Level 3 lists ASNs. At this time Linode doesn't seem to have its own AS, thus suffering from GNAX's laziness or incompetence to clean up their mess.

We have no idea how many IPs Linode has, but we know about very small providers owning a /24 only, but having their own AS.

So why does Linode not also do so?

Linode's ranges will fall out of Level 3 automatically, because they would no longer be seen as part of AS 3595.

Claus von Wolfhausen
UCEPROTECT-Network


Posted: Sun Oct 07, 2007 11:02 am
Senior Newbie
Joined: Sat Oct 06, 2007 5:40 pm
Posts: 8
kbrantley wrote:

It seems that they've blacklisted the entire AS3595, or in sum, 92,160 IPs because they have complaints about 316 of them.

Any RBL with an "accuracy" rate of 0.00343% isn't one that should be used in my book.

The entire RBL seems like a scam to me...


You should be better informed before posting next time, to prevent you will look like a fool in second place.

How did you come to the consensus it would have an accuracy of 0.00343%?

You know AL IVERSON is one of the most respected blocklist experts in the world?

See his stats for UCEPROTECT-Level 3 here:
http://stats.dnsbl.com/uce3.html

In short it said Level 3 blocked 50.8% spam while it blocked 0.8% ham last week.

So even if it lists complete providers, it looks like UCEPROTECT-Level 3 is a very accurate blocklist and producing very low false positives.

I doubt SPEWS was ever so accurate.

Looks like we have listed the most spammiest ASN's in Level 3, and therefore you should now be informed what to be listed there says about GNAX.

Yours
Claus von Wolfhausen
UCEPROTECT-Network


Posted: Mon Oct 08, 2007 9:15 am
Joined: Mon Oct 08, 2007 9:07 am
Posts: 1
You have to be kidding me, the GNAX network is used among both tranxactglobal.com and netdepot.com dedicated server companies (among others).

We have over 2000 dedicated servers between the two companies listed above. Each server comes with - by default 5 IPs but many have more as they are hosting servers with SSL etc.

Hell 6 servers with a /26 gets black listed out of ~ 5000 servers on our network between dedicated and colo customers and we are a spam shop.

Even if we had 50 full time abuse staff we could never keep it below that - just not possible - unless we were to click on that little paypal link...

_________________
Jordan Jacobs
Global Net Access


Posted: Mon Oct 08, 2007 2:47 pm
Senior Newbie
Joined: Sat Oct 06, 2007 5:40 pm
Posts: 8
GNAX|Jordan wrote:
You have to be kidding me, the GNAX network is used among both tranxactglobal.com and netdepot.com dedicated server companies (among others).

We have over 2000 dedicated servers between the two companies listed above. Each server comes with - by default 5 IPs but many have more as they are hosting servers with SSL etc.



Wow, you think it is ok for someone having 2000 dedicated Servers resulting in 342 spamming IP's per week, do you?

See here:
http://www.uceprotect.net/en/rblcheck.php?asn=3595

GNAX|Jordan wrote:
Hell 6 servers with a /26 gets black listed out of ~ 5000 servers on our network between dedicated and colo customers and we are a spam shop.

Even if we had 50 full time abuse staff we could never keep it below that - just not possible - unless we were to click on that little paypal link...


I do not see what you want to tell me with this 6 servers ~ 5000 servers example, but even if you click that paypal button, you would be back in a short timeframe, if you have not fixed your problems in first place.

For my understanding you are a datacenter and having lots of virtual servers on your dedicated servers.

That means you will have also many people as customers which never heard about insecure scripts, mysql injections and similar attacks.

You can not expect those to become security experts.
Hell they are endusers expecting you to protect their servers.

Why do you think you have to wait for abuse to happen and investigating afterwards?

That approach might have worked in 1995 but not in 2007.

You have to install preventive measures, so that your end customers' lack of competence will not allow spammers to abuse your ranges.

Have you ever heard of MODSECURITY?

What do you think will happen if you install it on all your servers by default?

I can tell you: You might be able to run the abuse-department for 2000 servers as a one or two man show.

Modsecurity filters all kinds of attacks against webservers, even 0-day exploits are no longer a problem.

Even if some lame customers are going to install formmails of 1997 you wouldn't have a problem.

Best of all: MODSECURITY IS FREE!

So running a datacenter without modsecurity is just UNPROFESSIONAL.

Cheers

Claus von Wolfhausen
UCEPROTECT-Network


Posted: Mon Oct 08, 2007 4:13 pm
Senior Member
Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
Face it, blocking thousands of legitimate mail servers does nothing but destroy the credibility of your blacklist. You think you're being hard on spammers but in reality you're being hard on those who would actually use your blacklist, destroying its usefulness.

Sorry, I'm not buying your arguments.

_________________
----

Ed/Bones.


Posted: Mon Oct 08, 2007 6:16 pm
Senior Newbie
Joined: Sat Oct 06, 2007 5:40 pm
Posts: 8
NecroBones wrote:
Face it, blocking thousands of legitimate mail servers does nothing but destroy the credibility of your blacklist. You think you're being hard on spammers but in reality you're being hard on those who would actually use your blacklist, destroying its usefulness.

Sorry, I'm not buying your arguments.


Why do you assume that it would be thousands of legitimate mail servers in a datacenter?

Experience tells me that most servers found in datacenters by today are nothing but webservers.
They have MTAs installed because almost every distribution does so by default, not because they would be really needed.

No one reasonable would use a vserver in a datacenter to send important mails, because he would always be at risk to end up in point blocklists such as SPAMHAUS, SORBS, SPAMCOP or even UCEPROTECT-Level 1, as soon as one of the other customers hosted on that machine installs a 1997 formmail and spammers abuse it.

So what important mail can we expect to come from a datacenter which has such a bad reputation that it got listed at Level 3?

I have not seen a single one up till today, but lots of spammails instead.

So the facts are that we are listing thousands of webservers where more than 300 of them have massive security holes.
As said, an MTA from the default installation doesn't make a webserver a legitimate mail relay.

Cheers
Claus von Wolfhausen
UCEPROTECT-Network


Posted: Mon Oct 08, 2007 6:26 pm
Senior Member
Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Quote:
No one reasonable would use a vserver in a datacenter to send important mails, because he would always be at risk to end up in point blocklists such as SPAMHAUS, SORBS, SPAMCOP or even UCEPROTECT-Level 1, as soon as one of the other customers hosted on that machine installs a 1997 formmail and spammers abuse it.


Given that each virtual machine has its own IP address, why would linode1 on hostA cause linode2 on hostA to appear in the black list? 1.2.3.4 is different to 1.2.3.5 and whether they're physically different colocated boxes or virtually colocated boxes makes no difference.

Unless the blacklist expands to cover the /24, /16, /8...

Oh wait. That's _your_ model.

_________________
Rgds

Stephen

(Linux user since kernel version 0.11)


Posted: Mon Oct 08, 2007 7:26 pm
Senior Newbie
Joined: Sat Oct 06, 2007 5:40 pm
Posts: 8
sweh wrote:

Given that each virtual machine has its own IP address, why would linode1 on hostA cause linode2 on hostA to appear in the black list? 1.2.3.4 is different to 1.2.3.5 and whether they're physically different colocated boxes or virtually colocated boxes makes no difference.

Unless the blacklist expands to cover the /24, /16, /8...

Oh wait. That's _your_ model.


OK, let's see the facts:
It was told to me that each of the dedicated servers would come with 5 IPs. You want to tell me that *every* vserver there has its own IP?

You should also see the advantage given to you from UCEPROTECT (free of charge) :

Finally GNAX seems to have cleaned up their act after they got listed at UCEPROTECT-Level 3.

The daily expiration routine has delisted them about 1 hour ago, because there are only 85 abusers left where 184 would trigger a Level 3 listing.

That is not clean, but it is a beginning.

http://www.uceprotect.net/en/rblcheck.php?asn=3595

I guess they will better watch out next time, so you should now have better chances than ever to get your mails delivered to the world, even if you would use your webservers to do so.

Cheers
Claus von Wolfhausen
UCEPROTECT-Network


Posted: Mon Oct 08, 2007 9:01 pm
Senior Member
Joined: Sun Feb 08, 2004 7:18 pm
Posts: 562
Location: Austin
Quote:
You want to tell me that *every* vserver there has its own IP?


YES every Linode has its own IP, and most of us use our Linodes for all kinds of server-y stuff, especially and including sending mail.

Your ridiculous assumptions about what people should do with their server presences are as asinine as Verisign assuming that the Internet is just for surfing the Web.

